New virus

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jan 12 19:33:26 GMT 2006


Kevin Miller wrote:
> Julian Field wrote:
>> Scott Silva wrote:
>>> Julian Field spake the following on 1/12/2006 6:23 AM:
>>>> The filename.rules.conf should by default be trapping *.hta files,
>>>> even inside zip files. So it should still be caught by MailScanner,
>>>> even without the AV engines.
>>>
>>> But having Maximum Archive Depth = 0 will prevent MailScanner from
>>> catching this in zip files, won't it?
>>
>> Yes. That is your choice to use that setting, I don't personally
>> advise it.
>
> What are the implications of setting Maximum Archive Depth = 2 (the
> default IIRC) and Allow Password-protected Archives = no?  Will that
> break anything?
>
> The comments indicate that the archive depth should be set to 0 if
> disabling password-protected archives.  I have a rules file for password
> protected archives, but it defaults to no.  I like the protection from
> the passworded zip virus files, but would also like to ensure that I'm
> protected on the hta, etc. front.
>
> And if I do set the archive depth back to 2, won't I start putting the
> kibosh on legitimate .exe, and other files that folks zip to get past
> the normal attachment checking?  Don't know how much of an issue that is
> right now but you know how users can get....
>
> ...Kevin
Yes, if you put the archive depth to 2, people won't be able to hide 
exes by putting them in zip files.
If you do that, you will definitely need a way for users to pull files 
out of quarantine.

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
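
The trade-off discussed in this message, as an added example that is not part of the original post and is not MailScanner's own code: a simplified Python model of filename rules applied to zip members up to a configurable depth. The deny patterns, the sample archives and the `blocked_names` helper are constructed for illustration, and the way depth is counted here is an assumption.

```python
import io
import re
import zipfile

# Constructed deny patterns for the two extensions named in the thread.
DENY = [re.compile(r"\.hta$", re.I), re.compile(r"\.exe$", re.I)]


def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def blocked_names(name, data, max_depth, depth=0):
    """Return denied filenames, opening archives at most max_depth levels deep."""
    hits = [name] if any(p.search(name) for p in DENY) else []
    # Assumed model: depth 0 means archives are never opened, only named.
    if depth >= max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Encrypted members expose their name but not their content.
            encrypted = bool(info.flag_bits & 0x1)
            inner = b"" if encrypted else zf.read(info)
            hits += blocked_names(info.filename, inner, max_depth, depth + 1)
    return hits


# Constructed attachments: an .hta nested two zips deep, and a zipped .exe.
NESTED = make_zip({"readme.txt": b"hi",
                   "tools.zip": make_zip({"invoice.hta": b"constructed"})})
ZIPPED_EXE = make_zip({"setup.exe": b"constructed", "notes.txt": b"x"})

if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(depth, blocked_names("docs.zip", NESTED, depth),
              blocked_names("files.zip", ZIPPED_EXE, depth))
```

In this model any depth above 0 also reports the zipped `.exe`, which is the case the reply says needs a way to release files from quarantine.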

